As is well known, the Popek-Goldberg virtualization theorems identify sufficient conditions for a computer architecture to support effective compute virtualization. In this blog we will discuss how the principles of this groundbreaking work can be applied at the network layer, and define sufficient conditions for network virtualization.
This first article of the series defines the characteristics of a virtual network; the analogy to the virtualization definitions of the Popek-Goldberg theorems should be quick to see.
Based on Popek-Goldberg, there are three properties of interest when analyzing a virtual machine environment:
- Equivalence: Any program running in a virtualized environment should exhibit a behavior that is essentially identical to that of an equivalent physical machine.
- Efficiency: A significant percentage of machine instructions are executed by the hardware without any intervention from a hypervisor.
- Resource control: The hypervisor is in full control of resources such as memory and peripherals, and virtual machines cannot access any such resource unless they are provided with explicit access to the resource.
These three properties are reflected in the choices of microprocessor architectures that include support for virtualization. For example, the Intel VT architecture enables the execution of virtual machines where only a small percentage of instructions lead to a trap to the hypervisor, and the majority of instructions are executed without any software intervention.
Similar to processor virtualization, when we look at network virtualization, we can define the corresponding properties:
- Network Equivalence: A virtual network running over a network hypervisor should exhibit a behavior that is identical to that of a dedicated physical infrastructure. Several network virtualization solutions fail to meet this fundamental property, since they result in network designs that are not equivalent to a dedicated network design. For example, a network hypervisor does not provide an equivalent network if the routing paths are different from, and usually much longer than, those of the physical network, or if performance is inhibited by the lack of proper isolation controls.
- Network Core Efficiency: A statistically dominant fraction of packets must be forwarded without requiring that the physical networks are aware of virtual network functions. For example, any virtualization solution that requires per-tenant state information in the forwarding path of generic network elements does not provide network efficiency. The network hypervisor must also not require multiple packet header translations between physical and virtual networks. Indeed, any such translation must not be performed more than once at the edge of the network. Multiple packet header transformations lead to excessive latency and introduce significant control problems. A solution that requires header transformations by the network for traffic between virtual machines also fails to follow these principles.
- Network Resource Control: The physical network hypervisor must be in complete control of the resources, and it must be impossible for virtual networks to interfere with each other's performance. The network hypervisor must be able to provide perfect isolation in terms of networking resources such as bandwidth and buffers. A network virtualization solution that does not take into account both performance and routing isolation would fail to meet this property.
In the next blog post, we will discuss how some existing network virtualization techniques break the fundamental properties of network virtualization.
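
The edge-only translation and tenant-free core described in the list above, as an added toy model that is not from the original post. The class names, the `vnid` field and the addresses are assumptions made for illustration; bandwidth and buffer isolation are not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Inner:                  # tenant packet; addresses are unique only per tenant
    dst: str
    payload: str

@dataclass(frozen=True)
class Outer:                  # what the physical core sees
    dst_edge: str
    vnid: int                 # hypothetical virtual network id, opaque to the core
    inner: Inner

class Edge:
    """Hypervisor edge: the only place that holds per-tenant state."""
    def __init__(self):
        self.remote = {}      # (vnid, tenant addr) -> edge hosting it
        self.inbox = {}       # (vnid, tenant addr) -> payloads delivered locally

    def encap(self, vnid, inner):
        dst_edge = self.remote.get((vnid, inner.dst))
        # resource control: no explicit mapping means no access
        return Outer(dst_edge, vnid, inner) if dst_edge else None

    def decap(self, outer):
        box = self.inbox.get((outer.vnid, outer.inner.dst))
        if box is not None:
            box.append(outer.inner.payload)
        return box is not None

class Core:
    """Physical switch: forwards on the outer edge address only."""
    def __init__(self, routes):
        self.routes = routes  # edge name -> edge object; no tenant entries

    def forward(self, outer):
        return self.routes[outer.dst_edge]   # header is not rewritten

def run(tenants):
    a, b = Edge(), Edge()
    core = Core({"A": a, "B": b})
    for vnid in range(tenants):              # every tenant reuses 10.0.0.2
        a.remote[(vnid, "10.0.0.2")] = "B"
        b.inbox[(vnid, "10.0.0.2")] = []
        pkt = a.encap(vnid, Inner("10.0.0.2", f"tenant-{vnid}"))
        core.forward(pkt).decap(pkt)
    unmapped = a.encap(tenants, Inner("10.0.0.2", "stray"))
    return len(core.routes), b.inbox, unmapped
```

The core's forwarding table stays the same size however many tenants are attached, while overlapping tenant addresses are kept apart by state held only at the edges.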